Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.
The default session identifier generator creates a SHA-1 hash seeded with Perl's built-in rand function, epoch time, and process number (PID). The PID comes from a limited set of values, epoch time can be guessed or leaked through an HTTP Date header, and the built-in rand function is not suitable for cryptographic applications. The combination of these factors makes the generated session identifiers predictable and can be reproduced by an attacker without knowledge of secret data.
An attacker can predict or guess the correct session identifier and then gain unauthorized access to accounts and resources protected by the session — without needing to know the user's password.
Plack::Middleware::Session::Simple should be updated to version 0.05 or later, which introduces a cryptographically secure session identifier generator. The patch is available in the project repository on GitHub.
Plack::Middleware::Session::Simple in versions prior to 0.05 for Perl
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HKazeburo Plack\
APPKazeburo\